From 8437c464e539665984ca816ef694f29bed916750 Mon Sep 17 00:00:00 2001
From: Ricardo Bartels <ricardo@bitchbrothers.com>
Date: Thu, 9 May 2019 14:55:25 +0200
Subject: [PATCH] refine ssl insecure and client certificate options

* default TLS Protocols are now set to >= TLS1
* --cacert and --cert are no longer mandatory if option -s is used
* proper error messages if parsing of cert or key files fails
---
 check_http_json.py | 39 +++++++++++++++++++++++++++++++--------
 1 file changed, 31 insertions(+), 8 deletions(-)

diff --git a/check_http_json.py b/check_http_json.py
index 67355b4..64a8748 100755
--- a/check_http_json.py
+++ b/check_http_json.py
@@ -390,12 +390,8 @@ def parseArgs():
     parser.add_argument('-k', '--insecure', action='store_true',
                         help='do not check server SSL certificate')
     parser.add_argument('--cacert',
-                        required=('-s' in sys.argv or '--ssl' in sys.argv)
-                        and not ('-k' in sys.argv or '--insecure' in sys.argv),
                         dest='cacert', help='SSL CA certificate')
     parser.add_argument('--cert',
-                        required=('-s' in sys.argv or '--ssl' in sys.argv)
-                        and not ('-k' in sys.argv or '--insecure' in sys.argv),
                         dest='cert', help='SSL client certificate')
     parser.add_argument('--key', dest='key',
                         help='SSL client key ( if not bundled into the cert )')
@@ -680,13 +676,40 @@ if __name__ == "__main__":
     nagios = NagiosHelper()
     if args.ssl:
         url = "https://%s" % args.host
+
+        context = ssl.SSLContext(ssl.PROTOCOL_TLS)
+        context.options |= ssl.OP_NO_SSLv2
+        context.options |= ssl.OP_NO_SSLv3
+
         if args.insecure:
-            context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
+            context.verify_mode = ssl.CERT_NONE
         else:
-            context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
             context.verify_mode = ssl.CERT_OPTIONAL
-            context.load_verify_locations(args.cacert)
-            context.load_cert_chain(args.cert,keyfile=args.key)
+            if args.cacert:
+                try:
+                    context.load_verify_locations(args.cacert)
+                except ssl.SSLError:
+                    nagios.append_unknown(
+                    ''' Error loading SSL CA cert "%s"!'''
+                    % args.cacert)
+
+            if args.cert:
+                try:
+                    context.load_cert_chain(args.cert,keyfile=args.key)
+                except ssl.SSLError:
+                    if args.key:
+                        nagios.append_unknown(
+                        ''' Error loading SSL cert. Make sure key "%s" belongs to cert "%s"!'''
+                        % (args.key, args.cert))
+                    else:
+                        nagios.append_unknown(
+                        ''' Error loading SSL cert. Make sure "%s" contains the key as well!'''
+                        % (args.cert))
+
+        if nagios.getCode() != OK_CODE:
+            print(nagios.getMessage())
+            exit(nagios.getCode())
+
     else:
         url = "http://%s" % args.host
     if args.port: